ci(coverage): disable persist-credentials so the app token is used for the push (#1466)

actions/checkout persists the default GITHUB_TOKEN as an http.extraheader that overrides the app-token credentials embedded in the push URL, so the push authenticated as github-actions[bot] (not a ruleset bypass actor) and was rejected by the require-PR rule. persist-credentials: false lets the mfc-map-bot app token actually be used, so its ruleset bypass applies. This lets the require-PR rule be restored while the bot still pushes the refreshed map.

Author: sbryngelson

.github/workflows/coverage-refresh.yml

@@ -22,8 +22,14 @@ jobs:
       group:  phoenix
       labels: gt
     steps:
+      # persist-credentials: false stops actions/checkout from configuring the
+      # default GITHUB_TOKEN as an http.extraheader, which otherwise OVERRIDES the
+      # app-token credentials embedded in the push URL below — making the push
+      # authenticate as github-actions[bot] (not a ruleset bypass actor) and get
+      # rejected by the require-PR rule. With it off, the app token is used and the
+      # mfc-map-bot bypass applies.
       - uses: actions/checkout@v4
-        with: { clean: false }
+        with: { clean: false, persist-credentials: false }
       - name: Build + collect coverage map (SLURM)
         run: bash .github/scripts/submit-slurm-job.sh .github/workflows/common/coverage-refresh.sh cpu none phoenix
       # Mint a short-lived GitHub App installation token. The app is on the master